Preventing weak passwords by reading your mind
Is your password weaker than you thought?
To help you find out, the Telepathwords weak-password prevention system will try to guess each character of your password before you type it.
indicates that the character you typed was one of Telepathwords guesses.
indicates that the character you typed was one Telepathwords could not guess.
If your password has few characters that Telepathwords could not guess, attackers may also find your password easy to guess.

How does Telepathwords work?

Telepathwords tries to predict the next character of your passwords by using knowledge of:
  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

Can Telepathwords prevent all weak passwords?

No. Even if Telepathwords is unable to predict many characters of your password, it may be predictable to an attacker who knows more about how you choose passwords than Telepathwords can. Among the limitations of Telepathwords is that it may be unable to detect weak passwords that:
  • are based on information about you that we don’t have but attackers might (such as your username, anniversary, favorite food, or pet’s name)
  • contain common words or phrases from languages other than English
  • contain terms that became popular since we collected our database of common phrases and passwords
  • contain common behaviors that we have not anticipated and learned to recognize

What information does Telepathwords collect and why?

To guess the next character you'll type, we send the characters you have already typed to query our prediction engine. The prediction engine uses a database of common passwords and phrases that is too large for us send to your computer.
To measure how much of an effect Telepathwords has on your behavior, we also send and maintain a log of your mouse movements and the timings of when characters are added to or removed from your password. This log does not contain the actual characters you type, but it does indicate whether each character was among those predicted by Telepathwords. We use this log for research intended to increase our understanding of how users choose passwords and how to help them choose better passwords in the future. This research may include collaborators outside Microsoft (such as the collaborators at Carnegie Mellon University who helped build Telepathwords) and we may share these logs with them for this purpose.
To protect the contents of the log, we encrypt log entries on your browser, before they are sent to our server. We do not keep the keys required to decrypt the log on any publicly-facing server. (Our servers create a random, unique key for each log, transfer that key to your client, and encrypt the key with a public key that is not stored on any publicly-facing server.)

Who built Telepathwords?

Telepathwords was created at Microsoft Research (MSR) by our researchers and an intern from the PhD program Carnegie Mellon University (CMU). Key contributors include: